Kiara_Kat Posted April 1, 2007

Hi guys. The following HJT log is from one of our users who is too shy to post it here for review, so I'm posting it for him. This is not my log. His original log was littered with spyware and other nasties, including a couple of Trojans :shock: . He's tried to clean it up some, and wants some opinions. Comments please?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:27:17, on 31.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution]
C:\WINDOWS\system32\winlogon[Caution]
C:\WINDOWS\system32\services[Caution]
C:\WINDOWS\system32\lsass[Caution]
C:\WINDOWS\system32\svchost[Caution]
C:\WINDOWS\System32\svchost[Caution]
C:\WINDOWS\system32\ZoneLabs\vsmon[Caution]
C:\WINDOWS\system32\spoolsv[Caution]
C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution]
C:\Program Files\Alwil Software\Avast4\ashServ[Caution]
C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution]
C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution]
C:\Program Files\Java\jre1.5.0_11\bin\jusched[Caution]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution]
C:\Program Files\Winamp\winampa[Caution]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution]
C:\Program Files\MSN Messenger\MsnMsgr[Caution]
C:\Program Files\MSN Messenger\usnsvc[Caution]
C:\Program Files\Mozilla Firefox\firefox[Caution]
C:\Documents and Settings\Teemu\Työpöytä\HiJackThis_v2[Caution]

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate[Caution] /auto
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched[Caution]"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates[Caution] /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution]
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa[Caution]
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution]"
O4 - HKLM\..\Run: [soundService] rundll32[Caution] "C:\WINDOWS\System32\lqrhthbd.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution]" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine[Caution]" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175253790968
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution]
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ[Caution]
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution]
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution]
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin[Caution]
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services[Caution]
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi[Caution]
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc[Caution]
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services[Caution]
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr[Caution]
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr[Caution]
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc[Caution]
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon[Caution]
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc[Caution]
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv[Caution]

Remember, the SEARCH button is your friend. Use it!
Doomster Posted April 2, 2007

Unless it's a foreign version, the foreign stuff seems highly suspicious.

The BHOs (O2s) seem very suspicious:
First one: http://www.castlecops.com/tk32250-no_name.html - yes, it's bad.
Second one: gebcc.dll is identified as "winfixer" - badware.
Third one: no solid identification, but the GUID seems to have many bad references, and a pretty nonsensical filename.

Out of time now, but I don't like the look of the winupdate / winupdates - looks like a classic malware hide, unless there is a legitimate product it may be associated with.
Dragontotem Posted April 2, 2007

The foreign stuff is Finnish, and it should be OK. And those winupdates seem to be Windows' own stuff?
Doomster Posted April 3, 2007

Winupdate and Winupdates, as what appear to be normal program entries, are highly suspicious; many Google hits on them being worms.

So far, I think I would fix:
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate[Caution] /auto
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates[Caution] /auto
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll

With the Java entries that are "file missing", I'd be inclined to uninstall Java 5 (after completion of malware cleaning), clean up any more "file missing" issues, and then install Java 6.
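The indicators Doomster's fix list rests on can be checked mechanically: an unnamed BHO whose DLL has a machine-generated name in System32, the same DLL registered a second time as an O20 Winlogon Notify package (the BHO plus Winlogon Notify pairing that Vundo-type infections leave behind), a Run entry that imitates Windows Update from its own folder under Program Files, rundll32 loading a random-looking System32 DLL, and dangling "(file missing)" entries. The following is an added example, not code from this thread or from HijackThis: a small Python triage script run over a constructed sample log modelled on the posted entries. The suspicious lines are the ones named in the thread; the "Vendor Link Helper" BHO, its GUID and path are made up as a benign control. It assumes the forum's "[Caution]" token stands for the filtered ".exe" extension, and the vowel-ratio test is a heuristic, not an identification: every hit still needs a lookup against a CLSID/filename reference such as the CastleCops page cited above.

```python
"""Triage a HijackThis (HJT) log for the entry patterns discussed in the thread.

Added example for illustration; not HijackThis code. Hits are leads to look up,
not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the posted log. The O2/O4/O20 lines with random
# names are the ones named in the thread; 'Vendor Link Helper' (GUID and path
# made up) and the avast!/ZoneAlarm lines stand in for legitimate software.
# '[Caution]' is assumed to be the forum filter's replacement for '.exe'.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\nmeinsxh.dll
O2 - BHO: (no name) - {5FC32D8B-6888-4C33-88FD-C6996BB61C1C} - C:\WINDOWS\System32\gebcc.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\qomjjjg.dll
O2 - BHO: Vendor Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\LinkHelper.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate[Caution] /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution]
O4 - HKLM\..\Run: [soundService] rundll32[Caution] "C:\WINDOWS\System32\lqrhthbd.dll",setvm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: qomjjjg - C:\WINDOWS\SYSTEM32\qomjjjg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon[Caution]
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+) - (.*)$")
# First drive-letter path up to the first .dll/.exe/.ocx; paths may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|ocx)', re.IGNORECASE)


@dataclass
class Entry:
    section: str   # HJT section tag, e.g. 'O2', 'O20'
    detail: str    # rest of the line
    path: Optional[str]  # first file path found in the line, if any


def normalise(line: str) -> str:
    """Undo the forum filter that replaced '.exe' with '[Caution]' (assumption)."""
    return line.replace("[Caution]", ".exe")


def parse_entry(line: str) -> Optional[Entry]:
    """Split 'Oxx - detail' into section, detail and the first path it names."""
    m = ENTRY_RE.match(normalise(line).strip())
    if not m:
        return None
    section, detail = m.groups()
    pm = PATH_RE.search(detail)
    return Entry(section, detail, pm.group(0) if pm else None)


def looks_random(filename: str) -> bool:
    """Crude test for machine-generated names: few vowels or a long consonant run."""
    stem = re.sub(r"\.[a-z0-9]+$", "", filename.lower())
    if len(stem) < 5:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in stem) / len(stem)
    return vowel_ratio < 0.25 or re.search(r"[^aeiouy0-9]{4}", stem) is not None


def impersonates_windows_update(path: str) -> bool:
    """Windows Update runs from the Windows directory; a 'winupdate' elsewhere is a mimic."""
    stem = re.sub(r"\.[a-z0-9]+$", "", path.rsplit("\\", 1)[-1].lower())
    return "win" in stem and "updat" in stem and "\\windows\\" not in path.lower()


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, path, reason) for every entry matching an indicator."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # DLLs registered as BHOs, so O20 entries can be cross-checked against them.
    bho_dlls = {e.path.lower() for e in entries if e.section == "O2" and e.path}
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        path = e.path or ""
        low = path.lower()
        name = path.rsplit("\\", 1)[-1]
        in_system32 = "\\system32\\" in low
        if e.section == "O2" and "(no name)" in e.detail and in_system32 and looks_random(name):
            findings.append((e.section, path, "unnamed BHO, random-looking DLL in System32"))
        elif e.section == "O20" and low in bho_dlls:
            findings.append((e.section, path, "Winlogon Notify DLL is also a BHO (Vundo-style pair)"))
        elif e.section == "O20" and in_system32 and looks_random(name):
            findings.append((e.section, path, "Winlogon Notify DLL with random-looking name"))
        elif e.section == "O4" and "rundll32" in e.detail.lower() and in_system32 and looks_random(name):
            findings.append((e.section, path, "rundll32 loading random-looking DLL from System32"))
        elif e.section == "O4" and impersonates_windows_update(path):
            findings.append((e.section, path, "Run entry imitating Windows Update outside the Windows dir"))
        elif e.section == "O9" and "(file missing)" in e.detail:
            findings.append((e.section, path, "dangling entry, target file missing"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {path:55} {reason}")
```

Run against the sample it reports the three unnamed BHOs, both Winlogon Notify packages (because their DLLs also appear under O2), the winupdate Run entry, the rundll32 loader and the dangling Java button, and stays quiet on the vendor BHO, avast! and ZoneAlarm lines. The cross-check between O2 and O20 is the strongest signal here: a legitimate Winlogon notification package has no reason to also be an Internet Explorer BHO.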
coltm4carbine Posted April 4, 2007

Whoops, been to Madrid for a week... It looks like you've got Vundo in there, but can you give us a new log from HijackThis 1.99.1 - the old version? (Notice the version you have now is BETA.) Thanks.